FURTHER REFLECTIONS ON THE ROLES OF CONTROLLER AND PROCESSOR 
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Is it imaginable/lawful to have a processor that does not process (a “false Processor’)? This may be 
the case for example in group of undertakings, where the parent company stipulates agreements 
with third parties for services carried out for the benefit of the parent company itself, but also (or 
even, mainly) for the benefit of its subsidiaries; agreements which imply the processing of personal 
data, of which the subsidiaries are Controllers. 

In those cases, the parent company very often appears to act as Processor appointed by its parent 
companies, and appoints in turn the third party service contractor as subprocessor; but actually the 
parent company does not process data (and it does very often not hold the necessary skills, expertise 
etc. required by art. 28 GDPR). 


If the answer to point 1 is no, or in general, can an entity (for example, a parent company) stipulate 
data processing agreements with third party processors (contractors) on behalf of other entities (for 
example, its subsidiaries), which are Controllers? In other words, can someone act on behalf, but not 


in the name, of a Controller, and in such capacity appoint third parties as Processors of the Controller 
(without it being a Processor itself)? 


Is it lawful to have a Processor which is not chosen by the Controller, but is imposed to the Controller 
by a third party, who has an interest in the data processing but is not willing to appear as Controller 
itself? This might be the case of personal data banks held by marketing entities, who do not wish to 
appear as having a privacy (Controller) role, but leave that role (Controller) to those who benefit of 
their marketing services, at the same time imposing certain entities (on which they have an interest) 
as Processors to be mandatorily resorted to. 


Could the choice by Controller of a Processor (instead of another Processor, or of no Processor at all) 
be objected by the data subject? In other words, could the data subject deny the granting of his/her 


data to the Controller, or object to the processing by such Controller, simply because such data 
subject dislikes the Processors appointed by the Controller and processing his/her own data? 


In case of joint Controllership between an EU Controller and a Controller that does not fall in the 
territorial scope of GDPR as per its art. 3 (i.e., it does not meet the conditions under art. 3.2 GDPR) , 
does the extra EEA Controller need to appoint a representative in the EU, just for the fact of being a 
joint Controller with the EU one? Or could it be deemed to fall under the GDPR, just for the fact of 
being a joint Controller with the EU one? 


In case of joint Controllership between an EU Controller and an extra EEA Controller (regardless of 
the latter falling or not under art. 3.2 GDPR), do EU Commission standard contractual clauses (or 


other appropriate safeguards for transfers under GDPR) need to be stipulated between the two joint 
Controllers for the transfer of personal data outside EEA? 


Art. 82.1 GDPR: may the notion of “any person who has suffered material or non-material damage 
as a result of an infringement of this Regulation ...” also apply to Processor vis-a-vis its Controller, or 
vice-versa? Or could such “any person” be only a third party, be it an individual or an entity? 

Same for art. 82.2: could Controllers and Processors mentioned therein as being liable for damages, 
be liable for damages under art. 82 GDPR also one toward the other (Controller toward Processor, 
or vice-versa?) 


